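function Update-AWSProfile {
<#
.SYNOPSIS
Update AWS Profile credentials file with temporary assumed role credentials.

.DESCRIPTION
Refreshes the temporary profile "temp-<profile>" (lower-cased) with short-lived
credentials obtained by assuming the role configured on the source profile.

The function first probes the temporary profile with Get-STSCallerIdentity; if that
call succeeds the existing session is kept and nothing is rewritten. Otherwise it
reads RoleArn and Options.MfaSerialNumber from the source profile, prompts for an
MFA code when none was supplied, calls Use-STSRole, and stores the returned
AccessKeyId / SecretAccessKey / SessionToken under the temporary profile in the
shared credentials file that holds the 'default' profile.

Every failure is reported with Write-Error followed by an early return; the function
does not throw on its own, but errors raised by the AWS cmdlets (for example
Use-STSRole rejecting the MFA code) propagate to the caller unchanged.

.PARAMETER Profile
[string] The AWS profile name to update.

.PARAMETER MfaCode
[string] The MFA code from the AWS-associated MFA device. If not provided, will be prompted to enter.

.PARAMETER SessionDurationSeconds
[uint16] The session duration in seconds for the temporary assumed role. Valid values are 900 seconds (15 minutes) to 43200 seconds (12 hours).
If not provided, will default to 43200. STS rejects a request whose duration exceeds
the maximum session duration configured on the target role, so lower this value for
roles that do not allow 12-hour sessions.

.EXAMPLE
Update-AWSProfile -Profile 'Prod'

.EXAMPLE
Update-AWSProfile -Profile 'Prod' -MfaCode '123456'

.OUTPUTS
None. Progress is written with Write-Verbose and failures with Write-Error.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateNotNullOrEmpty()]
    [string]$Profile,

    [Parameter(Mandatory = $false)]
    [ValidateNotNullOrEmpty()]
    [string]$MfaCode = $null,

    [Parameter(Mandatory = $false)]
    [ValidateRange(900, 43200)]
    [uint16]$SessionDurationSeconds = 43200
)

$logLead = (Get-LogLeadName)
$tempProfile = "temp-" + $Profile.ToLower()
$helpUrl = 'https://confluence.alkami.com/x/hrMHB'

Import-AWSModule

# Probe the temporary profile before doing anything else so a still-working session is
# neither replaced nor re-prompted for MFA. -ErrorAction Stop makes sure a failed probe
# reaches the catch block even when the cmdlet reports it as a non-terminating error;
# without it the failure could fall through to the "still valid" return below.
try {
    Get-STSCallerIdentity -ProfileName $tempProfile -ErrorAction Stop | Out-Null
    Write-Verbose "$logLead : Credentials for profile [$tempProfile] are still valid; exiting."
    return
} catch {
    Write-Verbose "$logLead : No valid credentials associated with profile [$tempProfile]; proceeding"
}

# The temporary profile is written to the same file that holds the 'default' profile;
# that file's path is taken from the profile listing rather than assumed.
$profileLocation = ( Get-AWSCredential -ListProfileDetail | Where-Object { $_.ProfileName -eq 'default' } | Select-Object -First 1 ).ProfileLocation
if ( [string]::IsNullOrEmpty( $profileLocation ) ) {
    Write-Error "$logLead : Unable to locate default profile location. Check your configuration per [$helpUrl]."
    return
}

# The source profile must carry both the role to assume and the MFA device serial;
# each missing piece gets its own message so the user knows what to fix.
$profileCred = Get-AWSCredential -ProfileName $Profile
if ( $null -eq $profileCred ) {
    Write-Error "$logLead : Unable to locate the profile named [$Profile]. Check your configuration per [$helpUrl]."
    return
} elseif ( [string]::IsNullOrEmpty( $profileCred.RoleArn ) ) {
    Write-Error "$logLead : Unable to locate the role ARN for [$Profile]. Check your configuration per [$helpUrl]."
    return
} elseif ( [string]::IsNullOrEmpty( $profileCred.Options.MfaSerialNumber ) ) {
    Write-Error "$logLead : Unable to locate the MFA serial number for [$Profile]. Check your configuration per [$helpUrl]."
    return
}

# A [string] parameter defaulted to $null arrives as "", so presence is decided by
# whether the caller actually bound -MfaCode, not by the variable's value.
if ( $false -eq $PSBoundParameters.ContainsKey( 'MfaCode' ) ) {
    $MfaCode = Read-Host -Prompt "Enter MFA code to assume role [$($profileCred.RoleArn)]"
}

# [ValidateNotNullOrEmpty()] only guards the bound parameter; an empty interactive entry
# would otherwise be sent to STS and fail with a less specific service error.
if ( [string]::IsNullOrWhiteSpace( $MfaCode ) ) {
    Write-Error "$logLead : No MFA code provided; cannot assume role [$($profileCred.RoleArn)]."
    return
}

$assumedCred = (Use-STSRole -RoleArn $profileCred.RoleArn -SerialNumber $profileCred.Options.MfaSerialNumber `
    -RoleSessionName $tempProfile -TokenCode $MfaCode -DurationInSeconds $SessionDurationSeconds).Credentials

# All three parts of the temporary key set are required; a partial result must not be
# written, as it would leave the temporary profile in a broken state.
if ( $null -eq $assumedCred ) {
    Write-Error "$logLead : Unable to assume role [$($profileCred.RoleArn)]. Check your MFA code and retry."
    return
} elseif ( [string]::IsNullOrEmpty( $assumedCred.AccessKeyId ) ) {
    Write-Error "$logLead : No access key provided by [$($profileCred.RoleArn)] credential."
    return
} elseif ( [string]::IsNullOrEmpty( $assumedCred.SecretAccessKey ) ) {
    Write-Error "$logLead : No secret access key provided by [$($profileCred.RoleArn)] credential."
    return
} elseif ( [string]::IsNullOrEmpty( $assumedCred.SessionToken ) ) {
    Write-Error "$logLead : No session token provided by [$($profileCred.RoleArn)] credential."
    return
}

# Persist the short-lived key set to the shared credentials file. The entry is not
# removed by this function; it simply stops working once the STS session expires.
Set-AWSCredential `
    -StoreAs $tempProfile `
    -ProfileLocation $profileLocation `
    -AccessKey $assumedCred.AccessKeyId `
    -SecretKey $assumedCred.SecretAccessKey `
    -SessionToken $assumedCred.SessionToken

Write-Verbose "$logLead : Updated profile [$tempProfile]."
}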